I'm in the process of evaluating your product and I have some difficulties applying certificate validation during an SSL connection using an HTTPS Client/Server connection.

Maybe I'm just too dumb to understand the whole thing :(

I have 3 certificates:

1. My "Root certificate", which is self-signed and has been created using your certificate tool included with the product samples -> ROOTCERT

2. One certificate for the server (Issued and signed by ROOTCERT) -> SERVERCERT

3. One certificate for the client (also Issued and signed by ROOTCERT) -> CLIENTCERT

I have loaded Certificate ROOTCERT (without private key) into an ElMemoryCertStorage attached to the ServerCertStorage property of the server component.

I have loaded Certificate SERVERCERT (with private key) into the same ElMemoryCertStorage attached to the ServerCertStorage property of the server component.

I have loaded Certificate CLIENTCERT (with private key) into an ElMemoryCertStorage attached to the CertStorage property of the client component.

A:

Now I need to do this on the server with ClientAuthentication set to "True" and AuthenticationLevel set to "alRequireCert":

If a client wants to connect and has passed his certificate (CLIENTCERT) to the server I need to verify that the client is using a certificate which is valid and has been issued by ROOTCERT.

The "meta"-code for the OnCertificateValidate event on the server would look like this:

...
If (ClientCertificate is valid) and (ClientCertificate has been issued by ROOTCERT) then validate:= True
...

B:

And this on the client:

If a server has been connected and the server has passed its certificates (ROOTCERT, SERVERCERT), I need to make sure that the client certificate which is stored in the client has been issued by one of these server certificates.

The "meta"-code for the OnCertificateValidate event on the client would look like this:

...
If (ServerCertificates are valid) and (ClientCertificate has been issued by one of the server certificates) then validate:= True
...

Now I need to do this on the server with ClientAuthentication set to "True" and AuthenticationLevel set to "alRequireCert":

JFYI: In this case you also need to handle the Client.OnCertificateNeededEx event and pass the client certificate (CLIENTCERT) to its 'Certificate' parameter (please see the corresponding section of SecureBlackbox documentation for further details).

To validate the client certificate on the server side, you need to add the root certificate to the certificate storage pointed to by the Server.CertStorage property. The validation can then be performed by calling the Server.InternalValidate() method from inside the Server.OnCertificateValidate event handler. The InternalValidate() method performs basic certificate validation.

Please consider using the TElCustomCertStorage.GetIssuerCertificate() method to get the index of the issuer of a particular certificate. In this way you can verify whether ROOTCERT is the parent certificate of the certificate received from the remote side.

The same approach should be used to validate server certificates on client side.
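As an added illustration (this is not code from the original thread, nor SecureBlackbox's own code), the following Delphi unit wires up the handlers the answer describes: the root goes into both storages, the server calls InternalValidate and then checks that ROOTCERT is the issuer, and the client hands out CLIENTCERT in OnCertificateNeededEx and applies the same issuer check to the server's certificates. It assumes the legacy SecureBlackbox Delphi API: the unit names in the uses clause, OnCertificateValidate with the signature (Sender; X509Certificate; var Validate), InternalValidate(var Validate; var Reason), OnCertificateNeededEx(Sender; var Certificate), TElCustomCertStorage.Add(Certificate, CopyPrivateKey) and GetIssuerCertificate returning the issuer's index or -1. The class TTlsEndpoints, the helper IssuedByRoot and the constant ROOT_INDEX are mine.

```delphi
unit MutualTlsValidation;
// Added example, not from the original post or from SecureBlackbox.
// Assumed legacy SecureBlackbox API and unit names (see lead-in above).

interface

uses
  SysUtils, SBX509, SBCustomCertStorage, SBMemoryCertStorage,
  SBSSLConstants, SBSSLServer, SBSSLClient;

const
  ROOT_INDEX = 0; // ROOTCERT is added first to each storage, so it sits at index 0

type
  TTlsEndpoints = class
  private
    FServerStorage: TElMemoryCertStorage; // ROOTCERT (no key) + SERVERCERT (with key)
    FClientStorage: TElMemoryCertStorage; // ROOTCERT (no key) + CLIENTCERT (with key)
    FClientCert: TElX509Certificate;      // handed to the server on request
    FServer: TElSSLServer;
    FClient: TElSSLClient;
    function IssuedByRoot(Storage: TElCustomCertStorage; Cert: TElX509Certificate): Boolean;
    procedure ServerCertificateValidate(Sender: TObject; X509Certificate: TElX509Certificate; var Validate: Boolean);
    procedure ClientCertificateValidate(Sender: TObject; X509Certificate: TElX509Certificate; var Validate: Boolean);
    procedure ClientCertificateNeededEx(Sender: TObject; var Certificate: TElX509Certificate);
  public
    constructor Create(RootCert, ServerCert, ClientCert: TElX509Certificate);
    destructor Destroy; override;
  end;

implementation

constructor TTlsEndpoints.Create(RootCert, ServerCert, ClientCert: TElX509Certificate);
begin
  inherited Create;
  FClientCert := ClientCert;

  // Server storage: the root must be present so the client's chain can be built.
  FServerStorage := TElMemoryCertStorage.Create(nil);
  FServerStorage.Add(RootCert, False);   // index ROOT_INDEX, no private key needed
  FServerStorage.Add(ServerCert, True);  // the server's own cert, with its key

  // Client storage: same root for checking the server, plus CLIENTCERT with key.
  FClientStorage := TElMemoryCertStorage.Create(nil);
  FClientStorage.Add(RootCert, False);
  FClientStorage.Add(ClientCert, True);

  FServer := TElSSLServer.Create(nil);
  FServer.CertStorage := FServerStorage;
  FServer.ClientAuthentication := True;          // request a client certificate
  FServer.AuthenticationLevel := alRequireCert;  // and refuse clients without one
  FServer.OnCertificateValidate := ServerCertificateValidate;

  FClient := TElSSLClient.Create(nil);
  FClient.CertStorage := FClientStorage;
  FClient.OnCertificateNeededEx := ClientCertificateNeededEx;
  FClient.OnCertificateValidate := ClientCertificateValidate;
end;

destructor TTlsEndpoints.Destroy;
begin
  FClient.Free;
  FServer.Free;
  FClientStorage.Free;
  FServerStorage.Free;
  inherited;
end;

function TTlsEndpoints.IssuedByRoot(Storage: TElCustomCertStorage; Cert: TElX509Certificate): Boolean;
begin
  // GetIssuerCertificate returns the index of the storage entry that issued
  // Cert, or -1 if none matches. Only our own ROOTCERT is an acceptable issuer;
  // any other CA that might end up in the storage is rejected here.
  // The self-signed ROOTCERT is its own issuer, so it passes this check too,
  // which matters on the client because the event fires for every cert sent.
  Result := Storage.GetIssuerCertificate(Cert) = ROOT_INDEX;
end;

procedure TTlsEndpoints.ServerCertificateValidate(Sender: TObject; X509Certificate: TElX509Certificate; var Validate: Boolean);
var
  Reason: TSBCertificateValidityReason;
begin
  // Basic validation first (Reason explains a failure); then require ROOTCERT
  // as the issuer. Validate is a var parameter: leaving it True unconditionally
  // would accept whatever certificate the client presents.
  FServer.InternalValidate(Validate, Reason);
  if Validate then
    Validate := IssuedByRoot(FServerStorage, X509Certificate);
end;

procedure TTlsEndpoints.ClientCertificateNeededEx(Sender: TObject; var Certificate: TElX509Certificate);
begin
  // Fired when the server asks for a client certificate: hand over CLIENTCERT.
  Certificate := FClientCert;
end;

procedure TTlsEndpoints.ClientCertificateValidate(Sender: TObject; X509Certificate: TElX509Certificate; var Validate: Boolean);
var
  Reason: TSBCertificateValidityReason;
begin
  // Same approach on the client: the server's certificates must validate and
  // chain to the ROOTCERT held in the client's own storage.
  FClient.InternalValidate(Validate, Reason);
  if Validate then
    Validate := IssuedByRoot(FClientStorage, X509Certificate);
end;

end.
```

The point of the explicit issuer check is that InternalValidate only tells you the certificate chains to something the storage trusts; if the storage ever contains more than your own root, that alone does not prove the peer was issued by ROOTCERT. Also note that on the client side what is checked is the certificate the server sent (its issuer must be ROOTCERT), not whether the client's own certificate was issued by the server.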
